8. Manage User Profiles

Management of profiles for your collaborators and end users must be thought through early in the development process. This involves defining different access and authorization profiles so that each person can only access the data they actually need.

Good Practices for User Management

  • It all starts with use of unique and individual identifiers, whether it concerns users of your application or development collaborators.

  • Make sure to require authentication before any access to personal data, in accordance with CNIL’s recommendations.

  • To ensure that each person (user or collaborator) can only access the data they actually need, your system must offer differentiated access control (reading, writing, deletion, etc.) based on the user’s needs. A global mechanism for user profile management makes it possible to group different rights by roles that a group of users exercises within the application.

  • Management of user profiles can be combined with logging systems to track activities and detect security-related events, such as fraudulent access or misuse of personal data. These systems must not be used for purposes other than ensuring correct use of the IT system. Logs must also not be retained longer than necessary – generally a period of six months is appropriate.

  • You can also plan code audits or penetration tests in your development environment to ensure the robustness of your profile management system.
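The role-based access control and logging practices above can be sketched as follows. This is an added example, not code from the original page; the role names, user identifiers, resources and the 183-day approximation of six months are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed roles: each role groups the rights a set of users needs (deny by default).
ROLE_RIGHTS = {
    "support": {("customer_record", "read")},
    "billing": {("customer_record", "read"), ("invoice", "read"), ("invoice", "write")},
    "dpo": {("customer_record", "read"), ("customer_record", "delete")},
}
# Constructed users, each with a unique individual identifier and assigned roles.
USER_ROLES = {"u-1001": {"support"}, "u-1002": {"billing"}, "u-1003": {"dpo"}}

LOG_RETENTION = timedelta(days=183)  # assumption: about six months of retention


def is_allowed(user_id, resource, action):
    """True only if one of the user's roles explicitly grants (resource, action)."""
    roles = USER_ROLES.get(user_id, set())  # unknown identifier -> no roles -> denied
    return any((resource, action) in ROLE_RIGHTS.get(r, set()) for r in roles)


def access(user_id, resource, action, audit_log, now=None):
    """Decide a request and record the decision, allowed or denied, in the audit log."""
    now = now or datetime.now(timezone.utc)
    allowed = is_allowed(user_id, resource, action)
    audit_log.append({"ts": now, "user": user_id, "resource": resource,
                      "action": action, "allowed": allowed})
    return allowed


def denied_counts(audit_log):
    """Per-user count of denied requests, a simple signal of attempted misuse."""
    counts = {}
    for entry in audit_log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


def purge_expired(audit_log, now=None):
    """Drop entries older than the retention period; return the entries kept."""
    now = now or datetime.now(timezone.utc)
    return [e for e in audit_log if now - e["ts"] <= LOG_RETENTION]
```

Denied requests are logged as well as allowed ones, because repeated denials for one identifier are often the first visible sign of misuse.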

Effective Management of Access Profiles

  • Plan to document or automate how employee transitions are handled. For example, there should be established procedures for the actions to take when a person no longer has authorization to a location or an IT resource, or when their contract expires.

  • Management of your users and collaborators requires regular review of permissions, as usage and organizational structure change over the course of your project. Directory services such as Lightweight Directory Access Protocol (LDAP) can help you monitor these changes and fine-tune your access strategies – for example by assigning roles based on user profiles. This helps you better comply with the principle of least privilege.

  • Use of “supreme” accounts (e.g., root, administrator) should be avoided for ordinary operations, as they constitute a critical part of your system and are an obvious target for potential attackers. We recommend:

    • Applying a strong password policy to these accounts (10-20 characters or multi-factor authentication).
    • Limiting the number of people who know the access credentials to the absolute minimum.
  • Promote adoption of a password manager in your project and the transition to strong authentication where possible. Avoid generic accounts shared by multiple people.
